{ "schema_version": "1.4.0", "id": "GHSA-m94c-37g6-cjhc", "modified": "2022-02-08T21:01:39Z", "published": "2021-08-23T19:42:15Z", "aliases": [ "CVE-2021-37695" ], "summary": "Fake Objects feature vulnerability allowing execution of JavaScript code using malformed HTML.", "details": "### Affected packages\nThe vulnerability has been discovered in the [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) plugin. All plugins with a [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) plugin dependency are affected:\n\n* [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects)\n* [Link](https://ckeditor.com/cke4/addon/link)\n* [Flash](https://ckeditor.com/cke4/addon/flash)\n* [Iframe](https://ckeditor.com/cke4/addon/iframe)\n* [Forms](https://ckeditor.com/cke4/addon/forms)\n* [Page Break](https://ckeditor.com/cke4/addon/pagebreak)\n\n### Impact\nA potential vulnerability has been discovered in the CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed injecting malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users of the CKEditor 4 plugins listed above at versions < 4.16.2.\n\n### Patches\nThe problem has been recognized and patched. The fix will be available in version 4.16.2.\n\n### For more information\nEmail us at security@cksource.com if you have any questions or comments about this advisory.\n\n### Acknowledgements\nThe CKEditor 4 team would like to thank Mika Kulmala ([kulmik](https://github.com/kulmik)) for recognizing and reporting this vulnerability.\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "ckeditor4" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.16.2" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37695" }, { "type": "WEB", "url": "https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58" }, { "type": "PACKAGE", "url": "https://github.com/ckeditor/ckeditor4" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-08-23T17:15:12Z", "nvd_published_at": "2021-08-13T00:15:00Z" } }